How to block an alert rule based on alert description
-
Thursday, May 27, 2010 5:08 PM
Hello,
I have an alert rule for "The AD Machine Account authentication failures report has data available". The problem is I want to see this alert when it happens, but I have a phone system that uses Windows NT (ugh). Well, the PDC is raising this alert in its log files, and thus SCE 2010 RTM sees this and reports it as critical. But I am not sure how to block this notice, because I want to block it for just the alert description of "The session setup from the computer old phone system failed to authenticate". I hope I am explaining this well; ask questions if you need to know more.
All Replies
-
Friday, May 28, 2010 5:33 AM Moderator
Hi,
Based on my research, I would like to suggest you try the following:
1. Use Override:
How to Monitor Using Overrides in System Center Essentials
http://technet.microsoft.com/en-us/library/bb422787.aspx
2. Specify the group you want to monitor:
OpsMgr 2007: Monitor or rule targeted at computer group does not generate alerts
Hope this helps.
Thanks.
Nicholas Li - MSFT
- Marked As Answer by Nicholas Li (Microsoft Contingent Staff, Moderator) Friday, June 04, 2010 6:56 AM
- Unmarked As Answer by Tdar Saturday, June 26, 2010 2:08 PM
-
Wednesday, June 02, 2010 3:43 PM
If it's just one PC (entity) that's generating the error, you can override as posted above, or override for a group if you want to ignore the alert for a large number of PCs, instead of doing them on a case-by-case basis. You can also go into the authoring pane and change the scope to AD monitors and modify the rule to NOT generate alerts. Either way works.
Tim
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
-
Wednesday, June 02, 2010 9:19 PM
So I am going to assume the answer is no, because I don't want to override the rule because it is our PDC; I just want to override it if the alert description says it's for a certain system. So assuming the answer is no
-
Thursday, June 03, 2010 1:09 PM
You would override the rule for the particular system, not your PDC. And override doesn't necessarily mean you disable it, but you can change its behavior... like I posted above, you can change the properties of the monitor to not generate alerts. So the answer is yes.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
- Marked As Answer by Nicholas Li (Microsoft Contingent Staff, Moderator) Friday, June 04, 2010 6:56 AM
- Unmarked As Answer by Tdar Saturday, June 26, 2010 1:58 PM
-
Saturday, June 26, 2010 2:07 PM
Tim,
Yes, I can override the rule for a particular system, but that will disable the rule outright for that system. The rule involved looks at the AD server for AD Machine Account authentication failures; the server reports the problem about the client, but in my case only one client was affected (because it's old NT and does not work with 2008 ADs), and the notice the server generates notifies me that that machine had a failed AD Machine Account authentication in the description field. So if there was a way to override a rule if the description field of the rule contains the affected machine name, then that is what I am looking for. But as of now that answer is no, so I am not sure why Nicholas Li marked the post as the answer, because there is no answer that would work for this yet. In the meantime I did override the rule, but it will not show me when I have any AD Machine Account authentication failures for other systems that are XP and beyond configured with AD 2008 non pre 2000 systems.
David
-
Monday, June 28, 2010 1:34 PM
See, here is the alert:
Date and Time: 6/28/2010 7:22:16 AM
Log Name: System
Source: NETLOGON
Generating Rule: Report Collection - Machine Account Authentication Failures
Event Number: 5805
Level: Error
Logging Computer: SILVER.silver-systems.local
User: N/A
Description:
The session setup from the computer RS-700 failed to authenticate.
The following error occurred:
%%5
Event Data:
<DataItem type="System.XmlData" time="2010-06-28T07:22:16.9752734-04:00" sourceHealthServiceId="FDEB3A51-A0F7-7BDB-8CD3-A357B1EA3D8F"><EventData><Data>RS-700</Data><Data>%%5</Data><Binary>220000C0</Binary></EventData></DataItem>
-
Wednesday, July 07, 2010 1:27 PM
Tim,
Yes, I can override the rule for a particular system, but that will disable the rule outright for that system. The rule involved looks at the AD server for AD Machine Account authentication failures; the server reports the problem about the client, but in my case only one client was affected (because it's old NT and does not work with 2008 ADs), and the notice the server generates notifies me that that machine had a failed AD Machine Account authentication in the description field. So if there was a way to override a rule if the description field of the rule contains the affected machine name, then that is what I am looking for. But as of now that answer is no, so I am not sure why Nicholas Li marked the post as the answer, because there is no answer that would work for this yet. In the meantime I did override the rule, but it will not show me when I have any AD Machine Account authentication failures for other systems that are XP and beyond configured with AD 2008 non pre 2000 systems.
David
That doesn't make sense. If you created the override for one particular pc, it won't have any effect on any other machine.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
-
Monday, July 19, 2010 1:10 PM
This rule is not generated by the PC, it is generated by the server (logging computer: Silver... that's the server), but the only place that it tells you what machine is affected is in the Description field. So I cannot say if pc = "rs-700", because the PC field will never show the "rs-700" (client); it will show the server PC (silver).
I cannot disable the rule outright on silver because it provides a valuable service. If you can override rules based on the description field having content as 'whatever', that will allow me to fix this problem.
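Added example, not written by any poster in this thread and not an SCE feature: the decision discussed above, made on the first `<Data>` parameter of the NETLOGON 5805 event rather than on the logging computer. The first sample event is the XML posted in the thread; the second event, the allowlist and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Clients whose 5805 failures are expected (the NT-based system from the thread).
KNOWN_NOISY_CLIENTS = {"RS-700"}

# (logging computer, event id, event data). Event 2 is constructed for contrast.
SAMPLE_EVENTS = [
    ("SILVER.silver-systems.local", 5805,
     '<DataItem type="System.XmlData" time="2010-06-28T07:22:16.9752734-04:00" '
     'sourceHealthServiceId="FDEB3A51-A0F7-7BDB-8CD3-A357B1EA3D8F">'
     '<EventData><Data>RS-700</Data><Data>%%5</Data>'
     '<Binary>220000C0</Binary></EventData></DataItem>'),
    ("SILVER.silver-systems.local", 5805,
     '<DataItem type="System.XmlData" time="2010-06-28T08:01:00-04:00">'
     '<EventData><Data> WKSTN-042 </Data><Data>%%5</Data>'
     '<Binary>220000C0</Binary></EventData></DataItem>'),
]


def failing_client(event_xml):
    """Return the client named in the first <Data> parameter, or None."""
    try:
        root = ET.fromstring(event_xml)
    except ET.ParseError:
        return None
    first = root.find("./EventData/Data")
    if first is None or not (first.text or "").strip():
        return None
    # Tolerate padding and case differences in the computer name.
    return first.text.strip().upper()


def should_alert(logging_computer, event_id, event_xml):
    """Suppress only 5805 events that name a known noisy client.

    logging_computer is deliberately ignored: it is always the server
    that logged the failure, never the client that caused it.
    """
    if event_id != 5805:
        return True
    client = failing_client(event_xml)
    if client is None:
        return True  # unparseable event data: fail open and keep the alert
    return client not in KNOWN_NOISY_CLIENTS


def triage(events):
    """Return (client, alert?) for each event tuple."""
    return [(failing_client(x), should_alert(c, i, x)) for c, i, x in events]
```

Both sample events come from the same logging computer, yet only the one naming RS-700 is suppressed, so failures from other clients stay visible.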

